Free Malware Removal Forum


I will be glad to help you with your log.
Would you please paste the entire log into a reply so I can look at the whole thing?
When you have the log in Notepad, you can hit Ctrl-A to highlight ALL, then Ctrl-C to copy to clipboard, and then Ctrl-V to paste after you click postreply here.

Ihatemalware,
-----------------------------------------------------------
Disable Microsoft Anti-Spyware
- Open Microsoft AntiSpyware. Click on Tools, Settings.
- In the left pane, Click on Real-time Protection.
- Under Startup Options, Uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection, Uncheck Enable real-time spyware threat protection (recommended).
- Click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
- Reboot your machine for the changes to take effect.
-----------------------------------------------------------
Set Your Computer to Show All Files
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, if you have Windows XP, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Download the Pocket Killbox from http://forum.malwareremoval.com/viewtopic.php?t=320 and see the instructions as well.
-----------------------------------------------------------
Download and install CCleaner from here.
Don't run CCleaner yet.
-----------------------------------------------------------
If you don't have it already, download Ad-Aware SE Personal from here. Don't install the AdWatch feature at start (free version doesn't have it anyway) until your machine is completely clean, as it may interfere with fixes. Install, Check for Updates.
Run Ad-Aware and Click on the Scan Now Button
* Choose Perform Full System Scan
* DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change its name to Scan Complete.
Click the Next Button to get to the Scanning Results Window where more information about the objects detected is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
1. Make a note of the items found by Ad-aware.

Reboot to complete the removal of what Ad-Aware SE found.

2. Are you familiar with Cyberus Online and Cybersurf.com? Your ISP?

3. Tell me what you know about this folder:
C:\Program Files\wtwh\
I don't see any research info on aruc.exe in that folder, which usually means it's a bad guy. If you don't know what it is, right click the file, select properties, and tell me what it says.

4. Please also look at the properties of this file and tell me what it says. netdde.exe is normally a Microsoft file, but that folder name doesn't look right.
C:\WINDOWS\system32\??sks\netdde.exe

(The MS file by that name is usually in C:\windows\system32\
The latest version is 5.1.2600.2180, size is 111,104 bytes.)

Please let me know what you get, and we will proceed.
We will get to that link.

I had never heard anything of Cyberus Online or Cybersurf. My ISP is 3web in Canada. However, I Google searched the two and there may be a connection between the two, so I really don't know what to tell you about Cybersurf.
Folder wtwh contains aruc.exe and a sub-folder owoo; the subfolder seems to contain nothing...
Size of aruc.exe - 67,072 bytes
Read only file
Created on July 2 2005
Mod September 14 2005
Accessed Sep 17, 2005

As for netdde, I also have no idea lol. Using search for files and folders I found two files called netdde, both applications.
Both have description - Network DDE - DDE Communication.
1st file location - C:\WINDOWS\ServicePackFiles\i386
1st file size - 111,104 bytes
2nd file location - C:\WINDOWS\system32
File size and everything else is identical to the other file.

Ihatemalware,
-----------------------------------------------------------
Please download, install, and update the free trial version of Ewido trojan scanner from here: http://www.ewido.net/en/download/
* Install ewido security suite
* When installing, under "Additional Options", Uncheck "Install background guard" and Uncheck "Install scan via context menu".
* Launch ewido, there should now be an icon on your desktop. Double-click it.
* The program will go to its main screen
* On the left hand side of the main screen click Update.
* Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can also use the same download link http://www.ewido.net/en/download/ to manually update ewido.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
In some systems, this may be the F5 key, so try that if F8 doesn't work.
Extra instructions are here if you need them.
-----------------------------------------------------------
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
It's extremely important not to open any windows while the scan is in progress.
Now Run Ewido
* Click on scanner
* Click on Settings
* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK
* Click on Complete system scan
* Let the program scan the machine
* If ewido finds anything, it will pop up a notification.
* Let it fix whatever it finds
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report
* Save the report to your desktop
* Exit ewido
-----------------------------------------------------------
Remove log items with HijackThis.
Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, check the following entries: (Some of these lines may be missing)
O4 - HKCU\..\Run: [Rnta] C:\Program Files\wtwh\aruc.exe

Make sure all other windows except HJT are closed, and Click Fix Checked.
Exit HJT
-----------------------------------------------------------
Folder Deletion.
Take one more look at the file aruc.exe in C:\Program Files\wtwh\
Right click the file, select properties, uncheck Read Only, click Apply and OK.
If no company is listed in properties menu that you recognize, proceed with this deletion:
In Windows Explorer (My Computer), find and delete these folder(s), if present:
C:\Program Files\wtwh\
Note any folder you cannot delete.
You may have to delete all the underlying files and folders before a target folder can be deleted.
If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer (Normal Mode). Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply. Please also paste the entire Ewido log report into your reply.

P.S. As I post this reply I'm still getting the pop-up. I see ewido found the aruc trojan, but either it's not gone or that's not what's giving me the pop-ups. Oh, and I was just wondering, did you look at the photos of the popups I'm getting in the link I posted in my first post?

I'm not forgetting about the Registry cleaner popup at all.
We need to find out what's calling it.
-----------------------------------------------------------
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or two, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder unless you are asked to do so! We need to see the log contents before proceeding with any fixes.
-----------------------------------------------------------
Download F-Secure's trial Blacklight program:
http://www.f-secure.com/blacklight/try.shtml
Print out the help page for guidance.
Ok the license.
Check scan through Windows Explorer
Click Scan
When animated graphics disappears, click Next
Note any files and their locations that appear in the output summary.
-----------------------------------------------------------

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 72 seconds, including 8 seconds for message boxes)

Press Ctrl-Alt-Del to bring up Task Manager
Check whether there are any entries that resemble "adware.livechat"
If so, click "End Process"
-----------------------------------------------------------
Remove log items with HijackThis.
Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, check the following entries: (Some of these lines may be missing)
O4 - HKCU\..\Run: [Hbcoay] C:\WINDOWS\system32\??sks\netdde.exe
Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Set Your Computer to Show All Files
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, if you have Windows XP, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Folder Deletion.
In Windows Explorer, find and delete this folder(s), if present:
C:\Program Files\PurityScan\
You may have to delete all the underlying files and folders before a target folder can be deleted.
If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
-----------------------------------------------------------
Search for the folder corresponding to C:\WINDOWS\system32\??sks\ and write out its exact full name.
-----------------------------------------------------------
Start Killbox. Use standard file kill (default settings).
Type the following into the box: C:\WINDOWS\system32\??sks\netbbe.exe
except use the full name of the \??sks\ folder you looked up. Don't use the question marks. <edit> (only use the question marks if they are actually in the name of the folder) <edit>.

Click the red highlighted 'X' button and say yes to any prompt, then click OK.

If a file cannot be deleted, check delete on reboot for that file, and try it again.
When finished exit Killbox and restart your PC.
-----------------------------------------------------------
Run CCleaner. Make sure the Cleaner block on the left is selected. Choose the Windows tab. Check everything EXCEPT cookies, and Autocomplete Form History and the Advanced part of the Menu. Choose Run Cleaner. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
Click the Tools button. Click the "Uninstall" box, and the "Save Text File" button.
Paste the contents of the text file into your next reply.
-----------------------------------------------------------
Post a New HJT Log
Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply. Please do not use Word Wrap when you paste in the reply.
Please include the uninstall list from CCleaner.
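
The two checks the helper applies by eye in this thread (a Microsoft file name such as netdde.exe starting from a folder other than C:\WINDOWS\system32, and "?" placeholders in the logged path) can be run over HijackThis O4 lines as below. This is an added example, not part of the original posts or of HijackThis; the function names, finding labels, the expected-folder table and the third sample line are this example's own assumptions.

```python
import ntpath
import re

# Folder where the thread says the Microsoft copy of netdde.exe normally lives.
# The table form, and extending it to other file names, is an assumption here.
EXPECTED_DIRS = {"netdde.exe": {r"c:\windows\system32"}}

# HijackThis autorun line, e.g.  O4 - HKCU\..\Run: [Name] C:\path\file.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:CU|LM))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

def exe_path(cmd):
    """Strip quotes and trailing arguments from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def review_o4(line):
    """Return a list of findings for one O4 line (empty list if none)."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    path = exe_path(m.group("cmd"))
    folder = ntpath.dirname(path).lower()
    name = ntpath.basename(path).lower()
    findings = []
    # "?" is not a legal Windows file-name character, so in a log it stands
    # for characters the log could not render; non-ASCII is flagged as well.
    if "?" in path or not path.isascii():
        findings.append("unrenderable-path")
    expected = EXPECTED_DIRS.get(name)
    if expected and folder not in expected:
        findings.append("system-name-wrong-folder")
    return findings

# First two lines are the O4 entries quoted in this thread; the third is constructed.
SAMPLE = [
    r"O4 - HKCU\..\Run: [Rnta] C:\Program Files\wtwh\aruc.exe",
    r"O4 - HKCU\..\Run: [Hbcoay] C:\WINDOWS\system32\??sks\netdde.exe",
    r"O4 - HKLM\..\Run: [Example] C:\WINDOWS\system32\netdde.exe",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(review_o4(entry), entry)
```

The aruc.exe entry comes back with no findings: neither rule covers an unknown program name, which is why the helper asked for the file's properties instead.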

that folder could not be found using hijack this or windows explorer or killbox
CLEANING COMPLETE - (9.010 secs)
------------------------------------------------------------------------------------------
26.6MB removed.

We are just about done. Your log looks better.
I see you have installed Limewire. I would suggest removing it. It has a history of purveying adware. Maybe you don't want to come back here so soon. If you MUST do file sharing, please look at the P2P info site below, and use a "safe" site.
Of course, the site is only part of it. The transfer of undocumented files means you are likely to get infections on a regular basis.

Removing LimeWire
To properly remove LimeWire you should use the uninstaller that comes with program.
1. Open the LimeWire folder.(C:\Program Files\Limewire)
2. Double click on the folder UninstallerData.
3. Double click on the Uninstall LimeWire 18c icon.
4. Follow the instructions on the screen to remove the program.

Please note that as long as you're using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation. Additional information on the safety of Peer to Peer Networks is here : http://www.spywareinfo.com/articles/p2p/ -(from NonSuch)
-----------------------------------------------------------
If you open CCleaner, then click on the Tools button on the left, then click "Uninstall", it brings up the list of installed programs.
If you then click on the button in the lower right labeled "Save as Text file", and exit, you will find a file called "install.txt" in the CCleaner folder. It is usually installed in C:\Program Files\CCleaner\

Would you paste the contents of THAT file into a reply, along with a final (I hope) HJT log.
Thanks
askey127
